New Directions in Cryptanalysis of Self-Synchronizing Stream Ciphers

Transcription

1 New Directions in Cryptanalysis of Self-Synchronizing Stream Ciphers Shahram Khazaei 1 and Willi Meier 2 1 EPFL, Lausanne, Switzerland 2 FHNW, Windisch, Switzerland Abstract. In cryptology we commonly face the problem of finding an unknown key K from the output of an easily computable keyed function F (C, K) where the attacker has the power to choose the public variable C. In this work we focus on self-synchronizing stream ciphers. First we show how to model these primitives in the above-mentioned general problem by relating appropriate functions F to the underlying ciphers. Then we apply the recently proposed framework presented at AfricaCrypt 08 by Fischer et. al. for dealing with this kind of problems to the proposed T-function based self-synchronizing stream cipher by Klimov and Shamir at FSE 05 and show how to deduce some non-trivial information about the key. We also open a new window for answering a crucial question raised by Fischer et. al. regarding the problem of finding weak IV bits which is essential for their attack. Keywords: Self-synchronizing Stream Ciphers, T-functions, Key Recovery. 1 Introduction The area of stream cipher design and analysis has made a lot of progress recently, mostly spurred by the estream [6] project. It is a common belief that designing elegant strong synchronizing stream ciphers is possible, however, it is harder to come up with suitable designs for self-synchronizing ones. Despite numerous works on self-synchronizing stream ciphers in the literature, there is not yet a good understanding of their design and cryptanalytic methods. Many self-synchronizing stream ciphers have shown not to withstand cryptanalytic attacks and have been broken shortly after they have been proposed. In this work we show how to model a self-synchronizing stream cipher by a family of keyed functions F (C, K). The input parameter C, called the public variable, can be controlled by the attacker while the input K is an unknown parameter to her called the extended key; it is a combination of the actual key used in the cipher and the unknown internal state of the cipher. The goal of the attacker would be to recover K or to get some information about it. The problem of finding the unknown key K, when access is given to the output of the function F (C, K) for every C of the attacker s choice, is a very common problem encountered in cryptography. In general, when the keyed function F looks like a random function, the best way to solve the problem is to exhaust the key space. However, if F is far from being a random function there might be more efficient methods. Recently, Fischer et. al. [7] developed a method to recover the key faster than by exhaustive search in case F does not properly mix its D.R. Chowdhury, V. Rijmen, and A. Das (Eds.): INDOCRYPT 2008, LNCS 5365, pp , c Springer-Verlag Berlin Heidelberg 2008

2 16 S. Khazaei and W. Meier input bits. The idea is to first identify some bits from C referred to as weak public variable bits and then to consider the coefficient of a monomial involving these weak bits in the algebraic normal form of F. If this coefficient does not depend on all the unknown bits of K, or it weakly depends on some of them, it can be exploited in an attack. Having modeled the self-synchronizing stream ciphers as the above-mentioned general problem, we consider the T-function based self-synchronizing stream cipher proposed by Klimov and Shamir [8] and use the framework from [7] to deduce some information about the key bits through some striking relations. Finding the weak public variable bits was raised as a crucial open question in [7] which was done mostly by random search there. In the second part of our work we try to shed some light in this direction in a more systematic way. The recently proposed cube attack by Dinur and Shamir [4], which has a strong connection to [7] and the present work, also includes some systematic procedure to find weak public variable bits. The rest of the paper is organized as follows. In section 2 we review the method from [7] and try to make the connection between [4] and [7] clearer. In section 3 we describe the self-synchronizing stream ciphers and explain how to derive keyed functions F (C, K) which suit the framework from [7]. Section 4 covers the description of the Klimov-Shamir T-function based self-synchronizing stream cipher along with its reduced word-size versions which will later be attacked in section 5 and 6. Section 6 also includes our new direction of finding weak bits in a systematic way. 2 An Approach for Key Recovery on a Keyed Function Notations. We use B = {0, 1} for the binary field with two elements. A general m- bit vector in B m is denoted by C =(c 1,c 2,...,c m ). By making a partition of C into U B l and W B m l, we mean dividing the variables set {c 1,c 2,...,c m } into two disjoint subsets {u 1,..., u l } and {w 1,..., w m l } and setting U =(u 1,...,u l ) and W = (w 1,...,w m l ). However, whenever we write (U; W ) we mean the original vector C. For example U =(c 2,c 4 ) and W =(c 1,c 3,c 5 ) is a partition for the vector C =(c 1,c 3,c 4,c 5 ) and (U; W ) is equal to C and not to (c 2,c 4,c 1,c 3,c 5 ).Wealsouse the notation U = C \ W and W = C \ U. A vector of size zero is denoted by. In this section we review the framework from [7] which was inspired by results from [1, 5, 11]. Let F : B m B n B be a keyed Boolean function which maps the m-bit public variable C and the n-bit secret variable K into the output bit z = F (C, K). An oracle chooses a key K uniformly at random over B n and returns z = F (C, K) to an adversary for any chosen C B m of adversary s choice. The oracle chooses the key K only once and keeps it fixed and unknown to the adversary. The goal of the adversary is to recover K by dealing with the oracle assuming that he has also the power to evaluate F for all inputs, i.e. all secret and public variables. To this end, the adversary can try all possble 2 n keys and filter the wrong ones by asking enough queries from the oracle. Intuitively each oracle query reveals one bit of information about the secret key if F mixes its input bits well enough to be treated as a random Boolean function with n + m input bits. Therefore, assuming log 2 n m, thenn key bits can be recovered by sending O(n) queries to the oracle. More precisely if the adversary asks the oracle n + β queries for some integer β 0, then the probability that only the unknown

3 New Directions in Cryptanalysis 17 chosen key by the oracle (i.e. the correct candidate) satisfies these queries while all the remaining 2 n 1 keys fail to satisfy all the queries is (1 2 (n+β) ) 2n 1 1 e 2 β (for β =10itisabout ). The required time complexity is O(n2 n ).However,if F extremely deviates from being treated as a random function, the secret key bits may not be determined uniquely. It is easy to argue that F divides B n into J equivalence classes K 1, K 2,...,K J for some J 2 n,seelemma1from[7].twokeysk and K belong to the same equivalence class iff F (C, K )=F(C, K ) for all C B m.let n i denotes the number of keys which belong to the equivalence class K i. Note that we have J i=1 n i =2 n. A random key lies in the equivalence class K i with probability n i /2 n in which case (n log 2 n i ) bits of information can be achieved about the key. The adversary on average can get J i=1 (n log 2 n i) ni 2 bits of information about the n n key bits by asking enough queries. It is difficult to estimate the minimum number of needed queries due to the statistical dependency between them. It highly depends on the structure of F but we guess that O(n) queries suffice again. However, in case where F does not properly mix its input bits, there might be faster methods than exhaustive search for key recovery. We are interested in faster methods of recovering the unknown secret key in this case. If one derives a weaker keyed function Γ (W, K) : B m l B n B from F which depends on the same key and a part of the public variables, the adversaryoracle interaction can still go on through Γ this time. The idea of [7] is to derive such functions from the algebraic expansion of F by making a partition of the m- bit public variable C into C = (U; W ) with l-bit vector U and (m l)-bit vector W.LetF(C, K) = α Γ α(w, K)U α where U α = u α1 1 uα2 2...uα l l for the multiindex α = (α 1,...,α l ).Inotherwords,Γ α (W, K) is the coefficient of U α in the algebraic expansion of F.Foreveryα B l, the function Γ α (W, K) can serve as a function Γ derived from F. The function corresponding to α =(1,...,1) is the coefficient of the maximum degree monomial. Previous works [5, 7] suggest that this function is usually more useful. We also only focus on the maximum degree monomial coefficient. Hence we drop the subscript α and write Γ (W, K) instead of Γ α (W, K) for α =(1,...,1). Inspired by the terminology of [4] we refer to U as cube vector and to Γ (W, K) as superpoly corresponding to cube vector U. Thanks to the relation Γ (W, K) = U B F ((U; W ), K), the adversary can still evaluate the superpoly for l any W of his choice and for the same chosen key K by the oracle. This demands that the adversary sends 2 l queries to the oracle for each evaluation of Γ. In order to have an effective attack we need to have a weak superpoly function. In [7] several conditions were discussed under which the superpoly can be considered as a weak function and potentially lead to an attack. Refer to [4] for more scenarios and generalizations. In this paper we look for cube vectors U such that their superpoly does not depend on a large number of key bits. We refer to those key bits which Γ (W, K) does not depend on as neutral key bits. This is a special case of the third scenario in [7] where probabilistic neutral bits were used instead. If the superpoly effectively depends on t k n key bits and t w m l public key bits, assuming these t k + t w bits are mixed reasonably well, the involved t k secret bits can be recovered in time t k 2 l+t k by sending O(t k 2 l ) queries to the oracle. However, if the superpoly extremely deviates from being treated as a random function, as we already argued, it may even happen

4 18 S. Khazaei and W. Meier that the t k key bits can not be determined uniquely. In this case one has to look at the corresponding equivalence classes to see how much information one can achieve about the involved t k key bits. In sections 5 and 6 we will provide some examples by considering Klimov-Shamir s self-synchronizing stream cipher. 2.1 Connection with Previous Works The attack is closely related to differential [2, 9] and integral [10, 3] kind of attacks, and the recent cube attack [4]. For l =0we have U = and W = C and hence Γ = F, that is we are analyzing the original function. For l =1let s take U =(c i ) and W = C \ (c i ) for some 1 i m. In this case we are considering a variant of (truncated) differential cryptanalysis, that is we have Γ (W, K) =F (C, K) F (C ΔC, K) where ΔC is an m-bit vector which is zero in all bit positions except the i-th one. For bigger l, this approach can be seen as an adaptive kind of higher order differential cryptanalysis. A more precise relation between the framework in [7] and (higher order) differential cryptanalysis seems to be as follows: The superpoly Γ (W, K), which computes the coefficient of the maximum degree monomial, is computed as the sum of all outputs F (C, K) where C =(U; W ) has a fixed part W and U varies over all possible values. This is what is also done in (higher order) differential cryptanalysis. However, in applications of the framework in [7], the values for W are often chosen adaptively. By adaptively we mean that a stronger deviation from randomness is observed for some specific choices for W (e.g. low weight W s) or even a specific value for W (e.g. W= 0). Whereas in most applications of (higher order) differential cryptanalysis, specific input values are of no favour. The recently proposed cube attack by Dinur and Shamir [4] still lies in the second scenario (condition) proposed in [7], having had been inspired by the earlier work by Vielhaber [12]. In [7] the public variable C was the Initial Vector of a stream cipher and the cube variables were called weak IV bits whenever the derived function Γ turned out to be weak enough to mount an attack. This concept can be adapted according to each context depending on the public variable (weak ciphertext bits, weak plaintext bits, weak message bits, etc). In general the terminology weak public variables can be used. On the whole, it is not easy to find week public variables. While [4] uses a more systematic procedure, [7] uses random search over cube vectors. In section 6, we will also take kind of systematic method. Another point which is worth mentioning is that cube attack [4] nicely works with complexity O(n2 d 1 ) if F is a random function of degree d in its m + n input bits. In this case the superpoly corresponding to any cube vector of size d 1 is weak, since it is a random linear function in key bits and remaining public variables. 3 Self-Synchronizing Stream Ciphers A self-synchronizing stream cipher is built on an output filter O : K S Mand a self-synchronizing state update function (see Definition 1) U : M K S M,where S, K and M are the cipher state space, key space and plaintext space. We suppose that the ciphertext space is the same as that of the plaintext. Let K Kbe the secret key, and {S i } i=0, {p i} i=0 and {c i} i=0 denote the sequences of cipher state, plaintext and ciphertext respectively. The initial state is computed through the initialization procedure

5 New Directions in Cryptanalysis 19 as S 0 = I(K, IV ) from the secret key K and a public initial value IV. The ciphertext (in an additive stream cipher) is then computed according to the following relations: c i = p i O(K, S i ), (1) S i+1 = U(c i,k,s i ). (2) Definition 1. [8] (SSF) Let {c i } i=0 and {ĉ i} i=0 be two input sequences, let S 0 and Ŝ 0 be two initial states, and let K be a common key. Assume that the function U is used to update the state based on the current input and the key: S i+1 = U(c i,k,s i ) and Ŝ i+1 = U(ĉ i,k,ŝi). The function U is called a self-synchronizing function (SSF) if equality of any r consecutive inputs implies the equality of the next state, where r is some integer, i.e.: c i =ĉ i,...,c i+r 1 =ĉ i+r 1 S i+r = Ŝi+r. (3) Definition 2. The resynchronization memory of a function U, assuming it is a SSF, is the least positive value of r such that Eq. 3 holds. 3.1 Attack Models on Self-Synchronizing Stream Ciphers There are two kinds of attack on synchronizing stream ciphers: distinguishing attacks and key recovery attacks 1. The strongest scenario in which these attacks can be applied is a known-keystream attack model or a chosen-iv-known-keystream attack if the cipher uses an IV for initialization. It is not very clear how applying distinguishing attacks make sense for self-synchronizing stream ciphers. However, in the strongest scenario, one considers key recovery attacks in a chosen-ciphertext attack model or in a chosen- IV-chosen-ciphertext attack if the cipher uses an IV for initialization. In this paper we only focus on chosen-ciphertext attacks. Our goal as an attacker is to efficiently recover the unknown key K by sending to the decryption oracle chosen ciphertexts of our choice. More precisely, we consider the family of functions {H i : M i K S M i =1, 2,...r},wherer is the resynchronization memory of the cipher and H i (c 1,...,c i,k,s)=o(k, G i (c 1,...,c i,k,s)), whereg i : M i K S Sis recursively defined as G i+1 (c 1,...,c i,c i+1,k,s)=u(c i+1,k,g i (c 1,...,c i,k,s)) with initial condition G 1 = U. Note that due to the self-synchronizing property of the cipher H r (c 1,...,c r,k,s) is actually independent of the last argument S, however, all other r 1 functions depend on their last input. The internal state of the cipher is unknown at each step of operation of the cipher but because of the self-synchronizing property of the cipher it only depends on the last r ciphertext inputs and the key. We take advantage of this property and force the cipher to get stuck in a fixed but unknown state S by sending the decryption oracle ciphertexts with some fixed prefix (c r+1,...,c 1 ) of our choice. Having forced the cipher to fall in the unknown fixed state S, we can evaluate any of the functions H i, i =1, 2,...,r, at any point (c 1,...,c i,k,s ) for any input (c 1,...,c i ) of our choice 1 One could also think of state recovery attack in cases in which the synchronizing stream cipher is built based on a finite state machine and the internal state does not easily reveal the key.

6 20 S. Khazaei and W. Meier by dealing with the decryption oracle. To be clearer let z = H i (c 1,...,c i,k,s ).In order to compute z for an arbitrary (c 1,...,c i ), we choose an arbitrary c i+1 M and ask the decryption oracle for (p r+1,...,p 1,p 0,...,p i+1 ) the decrypted plaintext corresponding to the ciphertext (c r+1,...,c 0,c 1,...,c i, c i+1 ).Wethensetz = p i+1 c i+1. To make notations simpler, we merge the unknown values K and S in one unknown variable K =(K, S ) K S, called extended unknown key. We then use the simplified notation F i (C, K) = H i (c 1,...,c i,k,s ) : M i (K S) M where C =(c 1,...,c i ). 4 Description of the Klimov-Shamir T-Function Based Self-Synchronizing Stream Cipher Shamir and Klimov [8] used the so-called multiword T-functions for a general methodology to construct a variety of cryptographic primitives. No fully specified schemes were given, but in the case of self-synchronizing stream ciphers, a concrete example construction was outlined. This section recalls its design. Let, +,, and respectively denote left rotation, addition modulo 2 64, multiplication modulo 2 64, bitwise XOR and bit-wise OR operations on 64-bit integers. The proposed design works with 64-bit words and has a 3-word internal state S =(s 0,s 1,s 2 ) T.A5-wordkey K =(k 0,k 1,k 2,k 3,k 4 ) is used to define the output filter and the state update function as follows: O(K, S) = ( (s 0 s 2 k 3 ) 32 ) ( ((s 1 k 4 ) 32) 1 ), (4) and ( ) ((s U ( c, K, S ) 1 s 2 2) 1) k 0 ( = ((s 2 s 0 ) 1) k 2 ( 1), (5) ) ((s 0 s 2 1) 1) k 2 where s 0 = s 0 c s 1 = s 1 (c 21) s 2 = s 2 (c 43). (6) Generalized Versions. We also consider generalized versions of this cipher which use ω-bit words (ω even and typically ω =8, 16, 32 or 64). For ω-bit version the number of rotations in the output filter, Eq. 4, is ω 2 and those of the state update function, Eq. 6, are ω 3 and 2ω 3, x being the closest integer to x. It can be shown [8] that the update function U is actually a SSF whose resynchronization memory is limited to ω steps and hence the resulting stream cipher is selfsynchronizing indeed. Our analysis of the cipher for ω =8, 16, 32 and 64 shows that it resynchronizes after r = ω 1 steps (using ω(ω 1) input bits). It is an open question if this holds in general.

7 New Directions in Cryptanalysis 21 Remark 1. In [8] the notation (k 0,k 1,k 2,k O,k O ) is used for the key instead of the more standard notation (k 0,k 1,k 2,k 3,k 4 ). The authors possibly meant to use a 3-word key (k 0,k 1,k 2 ) by deriving the other two key words (k O and k O in their notations corresponding to k 3 and k 4 in ours) from first three key words. However, they do not specify how this must be done if they meant so. Also they did not introduce an initialization procedure for their cipher. In any case, we attack a more general situation where the cipher uses a 5-word secret key K =(k 0,k 1,k 2,k 3,k 4 ) in chosen-ciphertext attack scenario. Moreover, for the 64-bit version the authors mentioned the best attack we are aware of this particular example [64-bit version] requires O(2 96 ) time, without mentioning the attack. 5 Analysis of the Klimov-Shamir T-Function Based Self-Synchronizing Stream Cipher Let ω (ω =8, 16, 32 or 64) denote the word size and r = ω 1 be the resynchronization memory of the ω-bit version of the Klimov-Shamir self-synchronizing stream cipher. Let B = {0, 1} and B ω denote the binary field and the set of ω-bit words respectively. Following the general model of analysis of self-synchronizing stream ciphers in section 3.1, we focus on the family of functions F i (C, K) :B i ω B8 ω B ω, i =1, 2,...,r where C =(c 1,...,c i ) and K =(K, S )=(k 0,k 1,k 2,k 3,k 4, s 0, s 1, s 2). We also look at a word b as an ω-bit vector b =(b 0,...,b ω 1 ), b 0 being its LSB and b ω 1 its MSB. Therefore any vector A = (a 0,a 1,..., a p 1 ) B p ω could be also treated as a vector in B p ω where the (iω + j)-th bit of A is a i,j,thej-th LSB of the word a i,for i =0, 1,...,p 1 and j =0, 1,...,ω 1 (we start numbering the bits of vectors from zero). Now, for any i =1,...,r and j =0,...,ω 1 we consider the family of Boolean functions F i,j : B iω B 8ω B which maps the iω-bit input C and the 8ω-bit extended key K into the j-th LSB of the word F i (C, K). Any of these keyed functions can be put into the framework from [7] explained in section 2. The next step is to consider a partitioning C =(U; W ) with l-bit segment U and (iω l)-bit segment W to derive the (hopefully weaker) functions Γi,j U : Biω l B 8ω B where Γi,j U is the superpoly in F i,j corresponding to the cube vector U. Whenever there is no ambiguity we drop the superscript or the subscripts. We may also use Γi,j U [ω] in some cases to emphasize the word-size. We are now ready to give our simulation results. Note: Instead of giving giving the variables of cube vector U we give the bit numbers. For example for ω =16,theset{0, 18, 31, 32} stands for the cube vector U = (c 1,0,c 2,2,c 2,15,c 3,0 ). Example 1. For all possible common word sizes (ω =8, 16, 32 or 64) we have been able to find some i, j and U such that Γ is independent of W and only depends on three key bits k 0,0, k 1,0 and k 2,0. Table 1 shows some of these quite striking relations. We also found relations Γ {3} 1,0 [8] = 1 + k 2,0 and Γ {6,7,8,9,10} 1,0 [16] = 1 + k 0,0 involving only one key bit. For ω =64, the three relations in Table 1 give 1.75 bits of information about (k 0,0,k 1,0,k 2,0 ).

8 22 S. Khazaei and W. Meier Table 1. Simple relations on three key bits (k 0,0,k 1,0,k 2,0) ω i j U Γi,j[ω] U {2} 1+k 0,0k 1,0 + k 0,0k 2,0 + k 1,0k 2, {5} 1+k 0,0k 1,0 + k 2,0 + k 0,0k 1,0k 2, {10} 1+k 0,0 + k 1,0k 2,0 + k 0,0k 1,0k 2, {11} 1+k 0,0k 1,0 + k 2,0 + k 0,0k 1,0k 2, {96, 97, 98} 1+k 0,0 + k 2,0 + k 0,0k 2, {21} 1+k 0,0k 1,0 + k 2,0 + k 0,0k 1,0k 2, {42} 1+k 0,0 + k 1,0k 2,0 + k 0,0k 1,0k 2, {20} 1+k 0,0k 1,0 + k 0,0k 2,0 + k 1,0k 2,0 A more detailed analysis of the functions Γi,j U [ω](w, K) for different values of i, j and U reveals that many of these functions depend on only few bits of their (iω l)-bit and 8ω-bit arguments. Let t w and t k respectively denote the number of bits of W and K which Γ effectively depends on. In addition let t k out of t k bits come from K and the remaining t s = t k t k bits from S (remember K =(K, S )). Table 2 shows these values for some of these functions. Having in mind what we mentioned in section 2 and being too optimistic, we give the following proposition. Table 2. Effective number of bits of each argument which Γ depends on. Note that the functions having the same number of effective bits do not necessarily have the same involved variables. ω i j U t k t w t k t s comment {1} {u} u {u} u {u} u {8} {18} {16} {34} {33, 34} {38, 39} {32} {66} {76, 77} {64} {130} {129, 130} {150, 151}

9 New Directions in Cryptanalysis 23 Proposition 1. If a function Γ U i,j is random-looking enough, recovering the t k unknown bits of the extended key takes expected time i t k 2 l+t k. The unity of time is processing one ciphertext word of the underlined self-synchronizing stream cipher. The factors 2 l and i come from the following facts: computing Γ from F i needs 2 l evaluations of F i (remember Γi,j U (W, K) = U B F i,j((u; W ), K)) and l computing F i needs i iterations of the cipher. Even if the ideal condition of Proposition 1 is not satisfied, the only thing which is not guaranteed is that the t k involved unknown bits are uniquely determined. Yet some information about them can be achieved. Refer to the note in section 2 regarding the equivalence classes. Example 2. Take the relation Γ {18} 3,0 [8](W, K) from Table 2. This particular function depends on t k = 5 bits (k 0,0,k 0,1,k 1,0,k 2,0,k 2,1 ) of the key and on t w = 7 bits (c 1,4,c 1,5,c 1,6,c 2,0,c 2,1,c 2,5,c 2,6 ) of the ciphertext. The ANF of this function is: Γ {18} 3,0 [8] = 1 + k 0,0k 0,1 + k 0,0 k 0,1 k 2,0 + k 2,0 k 2,1 + k 0,0 c 1,4 + k 0,0 k 2,0 c 1,4 + k 0,0 k 1,0 c 1,5 + k 0,0 k 1,0 k 2,0 c 1,5 + k 0,0 c 1,6 + k 0,0 k 2,0 c 1,6 + k 2,0 c 2,0 + k 0,0 k 2,0 c 2,0 + k 2,0 c 2,1 + c 2,0 c 2,1 + k 0,0 c 2,0 c 2,1 + k 2,0 c 2,0 c 2,1 + k 0,0 k 2,0 c 2,0 c 2,1 + k 1,0 k 2,0 c 2,5 + k 2,0 c 2,6. (7) This equation can be seen as a system of 2 tw = 128 equations versus t k =5unknowns. Our analysis of this function shows that only 48 of the equations are independent which on averagecan give3.5 bits of informationaboutthefive unknownbits (2 bits of information for 25% of the keys and 4 bits for the remaining 75% of the keys). Example 3. Take the relation Γ {33,34} 7,0 [16](W, K) from Table 2. This particular function depends on t k = 12 keybitsandont w = 33 ciphertext bits. Our analysis of this function shows that on average about 2.41 bits of information about the 12 key bits can be achieved (10 bits of information for 12.5% of the keys, 3 bits for 25% of the keys and 0.67 bits about the remaining 62.5% of the keys). Example 4. Take the relation Γ {38,39} 7,0 [16](W, K) from Table 2. This particular function depends on t k = 12 keybitsandont w = 30 ciphertext bits. Our analysis of this function shows that on average about 1.94 bits of information about the 12 key bits can be achieved (10 bits of information for 12.5% of the keys, 3 bits for another 12.5% of the keys and 0.42 bits for the remaining 75% of the keys). Example 5. Take the relation Γ {34} 7,0 [16](W, K) from Table 2. This particular function depends on t k = 16 keybitsandont w = 52 ciphertext bits. Our analysis of this function shows that on average about bits of information about the 16 key bits can be achieved (13 bits of information for 25% of the keys, 11 bits for 12.5% of the keys, 4 bits for another 12.5% of the keys, and 1 bit for the remaining 50% of the keys). For larger values of i we expect Γ to fit better the ideal situation of Proposition 1. Therefore, we give the following claim about the security of the 64-bit version of Klimov- Shamir s proposal.

10 24 S. Khazaei and W. Meier Table 3. Finding weak ciphertext bits in a systematic way (for Γ1,0[64]) U K W tk tw t k ts Time {41} {0 19, 21 30, , , } {0 9, 22 40, 42 63} {9, 41} {0 19, 21 29, , , } {0 8, 22 40, 42 63} {8, 9, 41} {0 19, 21 28, , , } {0 7, 22 40, 42 63} {7 9, 41} {0 19, 21 27, , , } {0 6, 22 40, 42 63} {6 9, 41} {0 19, 21 26, , , } {0 5, 22 40, 42 63} {1 9, 41} {0 19, 21, , , 469} {0, 22 40, 42 63} {1 9, 40, 41} {0 18, 21, , , 469} {0, 22 39, 42 63} {1 9, 39 41} {0 17, 21, , , 469} {0, 22 38, 42 63} {1 9, 34 41} {0 12, 21, , , 469} {0, 22 33, 42 63} {1 9, 33 41} {0 11, 21, , , 469} {0, 22 32, 42 63} {1 9, 32 41} {0 10, 21, , , 469} {0, 22 31, 42 63}

11 New Directions in Cryptanalysis 25 Proposition 2. We expect each of the functions Γ {129,130} 31,0 [64] and Γ {150,151} 31,0 [64] to reveal a large amount of information about the corresponding t k =84involved key bits for a non-negligible fraction of the keys. The required computational time is In [7] the bits of the set U were called weak IV bits. With the same terminology, here we call them weak ciphertext bits. How to find these weak bits was raised as an open question in [7]. In the next section we present a systematic procedure to find weak ciphertext bits, with the consequence of improving Proposition 2. 6 Towards a Systematic Approach to Find Weak Ciphertext Bits The idea is to start with a set U and extend it gradually. At each step we examine all the ciphertext bits which Γ U depends on, to choose an extended U for the next step which results in a Γ which depends on the least number of key bits. Table 3 shows our simulation results by starting from function Γ {41} 1,0 [64] from Table 2 which effectively depends on t k =90extended key bits and t w =51ciphertext bits. Similar to Proposition 2, one expects each of the functions Γ1,0 U [64] in Table 3 to reveal a large amount of information about the corresponding t k involved extended key bits (including t k effective key bits) for a non-negligible fraction of the keys in time t k 2 l+t k, as indicated in the last column. In particular by starting from the function in the bottom of Table 3, (the promised large amount of information about) the involved t k =12keybits and t s =33internal state bits can be gained in time (for a non-negligible fraction of the keys). Notice, that once we have the correct value for the unknown extended key for some function in Table 3, those of the previous function can be recovered by little effort. Therefore we present the following proposition. Proposition 3. We expect that by starting from Γ {1 9,32 41} 1,0 [64] and going backwards to Γ {41} 1,0 [64] as indicated in Table 3, a large amount of information about the involved t k =90unknown bits (including t k =30effective key bits) is revealed for a nonnegligible fraction of the keys in time Remark 2. By combining the results of different functions Γ one can get better results. Finding an optimal combination demands patience and detailed examination of different Γ s. We make this statement clearer by an example as follows. Detailed analysis of Γ {129,130} 31,0 [64] and Γ {150,151} 31,0 [64] showsthatthekeybitswhichtheydependonare {0 27, 64 90, } and {0 28, 64 90, }, respectively. These two functions have respectively 27 and 28 bits in common with the 30 key bits {0 19, 21 30} involved in Γ {41} 1,0 [64]. They also include the key bits {0, 32, 64} for which 1.75 information can be easily gained according to Ex. 1. Taking it altogether it can be said that a large amount of information about the 88 key bits {0 30, 32, 64 90, } can be achieved in time with a non-negligible probability. 7 Conclusion In this work we proposed a new analysis method for self-synchronizing stream ciphers which was applied to Klimov-Shamir s example of a construction of a T-function based

12 26 S. Khazaei and W. Meier self-synchronizing stream cipher. We did not fully break this proposal but the strong key leakage demonstrated by our results makes us believe a total break is not out of reach. In future design of self-synchronizing stream ciphers one has to take into account and counter potential key leakage. Acknowledgement. We would like to thank Martijn Stam for his helpful editorial comments. References 1. Aumasson, J.-P., Fischer, S., Khazaei, S., Meier, W., Rechberger, C.: New Features of Latin Dances: Analysis of Salsa, ChaCha, and Rumba. In: Nyberg, K. (ed.) FSE LNCS, vol. 5086, pp Springer, Heidelberg (2008) 2. Biham, E., Shamir, E.: Differential Cryptanalysis of DES-like Cryptosystems. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO LNCS, vol. 537, pp Springer, Heidelberg (1991) 3. Daemen, J., Knudsen, L.R., Rijmen, V.: The Block Cipher Square. In: Biham, E. (ed.) FSE LNCS, vol. 1267, pp Springer, Heidelberg (1997) 4. Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. Cryptology eprint Archive, Report 385 (2008) 5. Englund, H., Johansson, T., Turan, M.S.: A Framework for Chosen IV Statistical Analysis of Stream Ciphers. In: Srinathan, K., Rangan, C.P., Yung, M. (eds.) INDOCRYPT LNCS, vol. 4859, pp Springer, Heidelberg (2007) 6. estream - The ECRYPT Stream Cipher Project, 7. Fischer, S., Khazaei, S., Meier, W.: Chosen IV Statistical Analysis for Key Recovery Attacks on Stream Ciphers. In: Vaudenay, S. (ed.) AFRICACRYPT LNCS, vol. 5023, pp Springer, Heidelberg (2008) 8. Klimov, A., Shamir, A.: New Applications of T-Functions in Block Ciphers and Hash Functions. In: Gilbert, H., Handschuh, H. (eds.) FSE LNCS, vol. 3557, pp Springer, Heidelberg (2005) 9. Knudsen, L.R.: Truncated and Higher Order Differentials. In: Preneel, B. (ed.) FSE LNCS, vol. 1008, pp Springer, Heidelberg (1995) 10. Knudsen, L.R., Wagner, D.: Integral Cryptanalysis. In: Daemen, J., Rijmen, V. (eds.) FSE LNCS, vol. 2365, pp Springer, Heidelberg (2002) 11. O Neil, S.: Algebraic Structure Defectoscopy. Cryptology eprint Archive, Report 2007/378 (2007), Vielhaber, M.: Breaking ONE.FIVIUM by AIDA an Algebraic IV Differential Attack. Cryptology eprint Archive, Report 2007/413